Re: Transfer-codings, mandatory content-coding support and intermediaries

On 21 April 2014 06:54, Albert Lunde <atlunde@panix.com> wrote:
> I doubt that most web browser clients have a security model
> that can reliably identify "potentially-attacker-supplied data"; too much of
> the content, including JavaScript _is_ potentially-attacker-supplied, and
> there are too many back doors from one context to another.

That's not true.  Web browser clients have very robust attribution
models.  We don't necessarily want to use those, because it's a fair
complexity burden.

The real problem here is less with clients than with servers.  The BEAST
demonstrations exploited servers that dynamically compressed content
without regard to the source of the compressed content.

Received on Monday, 21 April 2014 16:35:49 UTC